Setting up your own PPTP VPN

When it comes to VPNs, there is the choice between PPTP and OpenVPN. PPTP is pretty quick to set up and works out of the box with most (all?) OSes and devices.

OpenVPN offers a little better security, but is a little more hassle to set up and use. Strong VPN has a good comparison.

There are many reasons for getting your own VPN. My main concerns were security-related:

  1. I’m accessing several services that are IP-restricted. This is cool when it comes to security, but not so cool when it comes to accessibility when I’m not at the office.
  2. I’m frequently using open, untrusted WiFis. I wanted an encrypted connection to a more trusted peer.

Get a VPS

I got myself a cheap US$5/month VPS (1 core, 512MB RAM) and followed my own guide for getting your VPS up and running.

Install PPTP

Add the IP config for the VPN to /etc/pptpd.conf. This is the IP address the server will be using and the IP address range it will assign to the clients. These values will most likely work for you:

If you for some reason already use the 10.0.0.0 net on your local network, use another private IP net, like 192.168.123.0 (replace “10.0.0.” with “192.168.123.” in the command above).

Now edit /etc/ppp/chap-secrets

This file has four columns: «client», which is the username for the VPN login (it does not have to be a system account); «server», which should be «pptpd»; «secret», which is the plaintext password (eek! I know); and «IP addresses», which is the remote IP addresses that are allowed to connect.

Next you need to edit /etc/ppp/pptpd-options. Specifically the ms-dns option(s), which specify the DNS server(s) the clients should use. Add one per line like this:

I have used Google’s public DNS servers. You may of course use the ones provided by your VPS host instead. Another good option might be the public DNS servers 208.67.222.222 and 208.67.220.220 from OpenDNS.

Start the PPTP server:

Enable the «forwarding» system parameter so that you can actually reach anything beyond the VPN server itself. Edit the file /etc/sysctl.conf and make sure these lines are in it:

Make the setting take effect:

Enable masquerading with iptables:

Install iptables-persistent to load the iptables rule on reboot:

(It’s important that you install this package after applying the iptables rule. It saves the current rules on installation only.)
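The server-side steps above, collected into one script as an added example (not from the original post). It assumes the 10.0.0.0/24 subnet with the server on .1 and clients on .100–.200, Google's resolvers, eth0 as the public interface, a hypothetical user «alice», and it writes everything to a staging directory so you can review the files before copying them into /etc as root:

```shell
#!/bin/sh
# Assumed values (not from the original post); override via environment.
VPN_NET="${VPN_NET:-10.0.0}"      # first three octets; use 192.168.123 if 10.0.0.x is taken locally
DNS1="${DNS1:-8.8.8.8}"
DNS2="${DNS2:-8.8.4.4}"
PUB_IF="${PUB_IF:-eth0}"          # interface the VPS reaches the internet through
STAGE="${STAGE:-./pptp-stage}"    # review here, then copy into /etc as root

# Accept only an RFC 1918 /24 prefix, so the VPN never overlaps public address space.
check_private_prefix() {
  case "$1" in
    10.[0-9]*.[0-9]*|192.168.[0-9]*|172.1[6-9].[0-9]*|172.2[0-9].[0-9]*|172.3[01].[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

render_pptpd_conf() {     # contents of /etc/pptpd.conf
  printf 'localip %s.1\nremoteip %s.100-200\n' "$1" "$1"
}

render_chap_secrets() {   # one /etc/ppp/chap-secrets line: client server secret IP
  printf '%s\tpptpd\t%s\t*\n' "$1" "$2"
}

render_pptpd_options() {  # ms-dns lines to add to /etc/ppp/pptpd-options
  printf 'ms-dns %s\nms-dns %s\n' "$1" "$2"
}

masquerade_rule() {       # NAT only the VPN subnet, not everything that crosses the box
  printf 'iptables -t nat -A POSTROUTING -s %s.0/24 -o %s -j MASQUERADE\n' "$1" "$2"
}

main() {
  check_private_prefix "$VPN_NET" || { echo "not a private /24 prefix: $VPN_NET" >&2; return 1; }
  mkdir -p "$STAGE/ppp"
  render_pptpd_conf "$VPN_NET" > "$STAGE/pptpd.conf"
  render_pptpd_options "$DNS1" "$DNS2" > "$STAGE/ppp/pptpd-options.dns"
  # chap-secrets holds the plaintext password: generate a random one and keep the file root-only.
  render_chap_secrets "alice" "$(head -c 18 /dev/urandom | base64)" > "$STAGE/ppp/chap-secrets"
  chmod 600 "$STAGE/ppp/chap-secrets"
  printf 'net.ipv4.ip_forward=1\n' > "$STAGE/sysctl.conf.add"
  masquerade_rule "$VPN_NET" "$PUB_IF" > "$STAGE/iptables.sh"
  echo "staged PPTP config in $STAGE"
}

main "$@"
```

After copying the staged files into place, run the iptables line and `sysctl -p` before installing iptables-persistent, since that package only saves the rules present at install time.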

Set up the client (Mac OS X)

Sorry, I can only cover Mac OS X here.

  1. Go to System Preferences → Network
  2. Add a new interface (bottom left “+”)
  3. Set «Interface» to VPN, select «PPTP» as VPN Type and put a cool name in «Service Name»
  4. Add your server hostname and your VPN username
  5. Click «Authentication Settings» and add your VPN password
  6. Click «Advanced» and check «Send all traffic over VPN connection»
  7. Click «Connect» and you should be connected

P.S. It’s a good idea to check «Show VPN status in menu bar». It gives you easy access to connect/disconnect and, of course, your connection status.
